Advanced Management and Configuration
Frogbot offers two layers of configuration, listed from highest to lowest priority:
- Environment variables
- Frogbot Configuration under Administration > Xray Settings > Indexed Resources > Git Repositories tab.
Frogbot Configuration
Frogbot Configuration allows you to manage Frogbot settings for all your Git repositories from the JFrog Platform UI, without modifying repository files or CI pipelines.
Accessing Frogbot Configuration
- Navigate to Administration > Xray Settings > Indexed Resources > Git Repositories.
- The table displays your connected Git servers, folders, and repositories.
- Click on any entry to open the Frogbot Configuration drawer.
Configuration Hierarchy
Settings follow your SCM structure and are inherited downward:
Git Server (e.g., github.com/my-org)
└── Folder (e.g., my-org/backend)
    └── Repository (e.g., my-org/backend/api-service)
- Server-level settings apply to all folders and repositories on that server.
- Folder-level settings override server settings and apply to all contents within.
- Repository-level settings override folder and server settings.
Each entity shows a configuration status:
| Status | Meaning |
|---|---|
| Default | Using system default configuration |
| Custom | Has a directly assigned configuration |
| Inherited | Using a parent entity's configuration |
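The hierarchy and status rules above can be expressed as a small resolver. The following is an added illustration, not Frogbot's own code: it classifies each entity as Default, Custom or Inherited from its nearest configured ancestor, and applies environment-variable overrides last because they sit above the UI configuration. The entity names, setting keys and assigned values are constructed, and one behaviour is an assumption made for this example rather than a statement from the page: an assigned configuration is taken as a whole from the nearest configured level, with any setting it leaves unset filled from the system default.

```python
"""Resolve the effective Frogbot configuration for a server, folder or repository.

Added illustration, not Frogbot's own code. Models the rules stated in the
documentation: a directly assigned configuration makes an entity "Custom";
otherwise the nearest configured ancestor supplies it ("Inherited"); with no
configured ancestor the system default applies ("Default"). Environment
variables take priority over all UI configuration, so overrides apply last.
Assumption for this example: the nearest assigned configuration is used as a
whole, and settings it does not mention fall back to the system default.
"""

# System default configuration (constructed setting keys).
SYSTEM_DEFAULTS = {
    "sast_enabled": True,
    "fail_on_scan_error": False,
    "scanner_download_source": "jfrog-releases",
}

# Parent of each entity, mirroring the Git Server > Folder > Repository tree
# (constructed sample entities).
PARENT = {
    "github.com/my-org": None,
    "my-org/backend": "github.com/my-org",
    "my-org/backend/api-service": "my-org/backend",
    "my-org/frontend": "github.com/my-org",
    "github.com/other-org": None,
    "other-org/tools": "github.com/other-org",
}

# Directly assigned ("Custom") configurations, keyed by entity (constructed).
ASSIGNED = {
    "github.com/my-org": {"fail_on_scan_error": True},
    "my-org/backend": {"scanner_download_source": "air-gapped:frogbot-releases"},
}


def chain(entity):
    """Return the entity followed by its ancestors, nearest first."""
    out = []
    while entity is not None:
        out.append(entity)
        entity = PARENT[entity]
    return out


def nearest_assigned(entity):
    """Return (level, config) for the closest level with an assigned configuration."""
    for level in chain(entity):
        if level in ASSIGNED:
            return level, ASSIGNED[level]
    return None, {}


def status(entity):
    """Classify the entity as in the configuration status table."""
    level, _ = nearest_assigned(entity)
    if level is None:
        return "Default"
    return "Custom" if level == entity else "Inherited"


def effective(entity, env_overrides=None):
    """Compute the configuration that would apply to the entity.

    env_overrides stands for settings supplied through environment variables,
    which take priority over any configuration set in the UI.
    """
    cfg = dict(SYSTEM_DEFAULTS)
    _, assigned = nearest_assigned(entity)
    cfg.update(assigned)
    cfg.update(env_overrides or {})
    return cfg


if __name__ == "__main__":
    for e in PARENT:
        print(f"{e:32} {status(e):9} {effective(e)}")
```

Running the module prints one line per entity; the repository `my-org/backend/api-service` reports Inherited and picks up the folder's air-gapped download source, while `other-org/tools` stays on the system defaults because nothing above it is configured.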
Batch Configuration
To apply the same configuration to multiple entities at once:
- Select multiple servers, folders, or repositories in the table.
- Click Batch Configure.
- Configure settings in the drawer — they will be applied to all selected entities.
Configuration Tabs
The configuration drawer has three tabs:
Scans Configuration
Controls which scanners are enabled and their settings:
| Scanner | Settings |
|---|---|
| SCA | Enable/disable, exclude paths |
| Contextual Analysis | Enable/disable, exclude paths |
| IaC | Enable/disable, exclude paths |
| Secrets | Enable/disable, exclude paths, show findings in PR decoration, dynamic token validation, custom secrets |
| SAST | Enable/disable, exclude paths, exclude rules |
Additional settings:
- Snippet Detection (repository-level only) — detect copied open-source code snippets
- Global Exclude Paths — patterns to exclude across all scanners
- Global Include Paths — limit scanning to specific paths
- Advanced Settings:
  - Fail on scan error — fail the CI job if any scanner errors
  - Scanner download source — JFrog Releases (default) or air-gapped Artifactory repository
Auto-Fix
Controls automatic fix pull request behavior:
| Setting | Description | Default |
|---|---|---|
| Create automated fixes | Enable/disable auto-fix PRs | Enabled |
| Group all fixes into one PR | Aggregate all dependency fixes into a single PR | Disabled |
| Branch name template | Template for fix branch names | frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH} |
| Commit message template | Template for fix commit messages | Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION} |
| PR title template | Template for fix PR titles | [🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION} |
Available template variables:
| Variable | Description |
|---|---|
| ${IMPACTED_PACKAGE} | Name of the vulnerable package being upgraded |
| ${FIX_VERSION} | The version that resolves the vulnerability |
| ${BRANCH_NAME_HASH} | A unique hash that keeps fix branch names distinct (required in branch name templates) |
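To see how the three templates and their variables fit together, here is an added example (not Frogbot's own code) that validates a template against the variables listed above and renders it. It rejects templates that reference variables outside the three documented ones and branch templates that omit the mandatory `${BRANCH_NAME_HASH}`. How Frogbot derives the hash is not described on this page, so the `branch_hash` function below is an assumption: it takes a short SHA-256 of the package and fix version purely to show why the hash keeps branch names distinct.

```python
"""Validate and render Frogbot auto-fix templates.

Added example, not Frogbot's own code. ALLOWED_VARS and DEFAULTS come from the
documentation tables; branch_hash is an assumed scheme for illustration only.
"""
import hashlib
import re
import string

ALLOWED_VARS = {"IMPACTED_PACKAGE", "FIX_VERSION", "BRANCH_NAME_HASH"}

# Default templates as documented in the Auto-Fix table.
DEFAULTS = {
    "branch": "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}",
    "commit": "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}",
    "pr_title": "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}",
}

PLACEHOLDER = re.compile(r"\$\{([A-Z_]+)\}")


def placeholders(template):
    """Return the set of ${NAME} variables referenced by a template."""
    return set(PLACEHOLDER.findall(template))


def validate(kind, template):
    """Raise ValueError for unknown variables or a branch template without the hash."""
    unknown = placeholders(template) - ALLOWED_VARS
    if unknown:
        raise ValueError(f"{kind} template uses unsupported variables: {sorted(unknown)}")
    if kind == "branch" and "BRANCH_NAME_HASH" not in placeholders(template):
        raise ValueError("branch template must contain ${BRANCH_NAME_HASH}")


def is_valid(kind, template):
    """Boolean form of validate(), convenient for checks in a UI or CI step."""
    try:
        validate(kind, template)
    except ValueError:
        return False
    return True


def branch_hash(package, fix_version):
    """Assumed hash scheme: short SHA-256 over package and version (constructed)."""
    return hashlib.sha256(f"{package}@{fix_version}".encode()).hexdigest()[:10]


def render(kind, template, package, fix_version):
    """Validate the template, then substitute the documented variables."""
    validate(kind, template)
    values = {
        "IMPACTED_PACKAGE": package,
        "FIX_VERSION": fix_version,
        "BRANCH_NAME_HASH": branch_hash(package, fix_version),
    }
    return string.Template(template).substitute(values)


if __name__ == "__main__":
    # Constructed sample finding: a package upgraded to a fixed version.
    for kind, template in DEFAULTS.items():
        print(kind, "->", render(kind, template, "lodash", "4.17.21"))
    print("branch without hash valid?", is_valid("branch", "frogbot-${IMPACTED_PACKAGE}"))
```

Because two fixes for the same package at different versions produce different hashes, the default branch template never collides between them, which is the property the table's "required in branch name templates" note is protecting.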
PR Decorations
Controls how Frogbot comments on pull requests:
| Setting | Description | Default |
|---|---|---|
| Show all security finding types | Include both vulnerabilities and policy violations | Disabled |
| Skip comments when no issues found | Suppress the success comment on clean PRs | Disabled |
Environment Variables Reference
Connection
| Variable | Description | Required / Default |
|---|---|---|
| JF_URL | JFrog Platform URL | Yes |
| JF_ACCESS_TOKEN | JFrog access token | Yes (or JF_USER + JF_PASSWORD) |
| JF_USER | JFrog username | Alternative to JF_ACCESS_TOKEN |
| JF_PASSWORD | JFrog password | Alternative to JF_ACCESS_TOKEN |
| JF_GIT_TOKEN | Git provider personal access token | Yes |
| JF_GIT_API_ENDPOINT | API endpoint for GitHub Enterprise | https://api.github.com |
| JF_GIT_PROVIDER | Git provider: github, gitlab, bitbucketServer, azureRepos | — |
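A CI job that fails fast on a misconfigured environment is cheaper to debug than one that fails inside the scanner. The following pre-flight check is an added example, not Frogbot's own code: it applies the rules from the connection table (JF_URL and JF_GIT_TOKEN always required; credentials are JF_ACCESS_TOKEN or both JF_USER and JF_PASSWORD; JF_GIT_PROVIDER limited to the listed values when set; JF_GIT_API_ENDPOINT defaulting to https://api.github.com) and prints a redacted view so the secret values never reach the job log. The sample environments are constructed.

```python
"""Pre-flight check for Frogbot connection variables, run before Frogbot itself.

Added example, not Frogbot's own code. The rules encoded here are the ones in
the Connection table; the sample environments are constructed placeholders.
"""
import os
from urllib.parse import urlparse

GIT_PROVIDERS = {"github", "gitlab", "bitbucketServer", "azureRepos"}
DEFAULT_GIT_API = "https://api.github.com"
SECRET_VARS = {"JF_ACCESS_TOKEN", "JF_PASSWORD", "JF_GIT_TOKEN"}

# Constructed sample environments (placeholder values, not real credentials).
SAMPLE_OK = {
    "JF_URL": "https://example-company.jfrog.io",
    "JF_ACCESS_TOKEN": "constructed-placeholder-token",
    "JF_GIT_TOKEN": "constructed-placeholder-git-token",
    "JF_GIT_PROVIDER": "github",
}
SAMPLE_BAD = {
    "JF_URL": "example-company.jfrog.io",  # scheme missing
    "JF_USER": "ci-bot",                   # JF_PASSWORD missing
    "JF_GIT_PROVIDER": "bitbucket",        # not one of the listed values
}


def check_connection(env):
    """Return a list of problems; an empty list means the environment is usable."""
    problems = []
    url = env.get("JF_URL", "")
    parsed = urlparse(url)
    if not url:
        problems.append("JF_URL is required")
    elif parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("JF_URL must be an absolute http(s) URL")
    if not env.get("JF_GIT_TOKEN"):
        problems.append("JF_GIT_TOKEN is required")
    has_token = bool(env.get("JF_ACCESS_TOKEN"))
    has_basic = bool(env.get("JF_USER")) and bool(env.get("JF_PASSWORD"))
    if not (has_token or has_basic):
        problems.append("set JF_ACCESS_TOKEN, or both JF_USER and JF_PASSWORD")
    provider = env.get("JF_GIT_PROVIDER")
    if provider is not None and provider not in GIT_PROVIDERS:
        problems.append(f"JF_GIT_PROVIDER {provider!r} is not one of {sorted(GIT_PROVIDERS)}")
    return problems


def effective_git_api_endpoint(env):
    """JF_GIT_API_ENDPOINT when set, otherwise the documented default."""
    return env.get("JF_GIT_API_ENDPOINT") or DEFAULT_GIT_API


def redacted(env):
    """Report which JF_* variables are set without leaking secrets into logs."""
    return {k: ("<set>" if k in SECRET_VARS else v)
            for k, v in env.items() if k.startswith("JF_")}


if __name__ == "__main__":
    issues = check_connection(os.environ)
    print("environment:", redacted(os.environ))
    print("git API endpoint:", effective_git_api_endpoint(os.environ))
    for problem in issues:
        print("ERROR:", problem)
    raise SystemExit(1 if issues else 0)
```

Run it as the first step of the job; a non-zero exit stops the pipeline before any scanner downloads or API calls happen, and the redacted printout is safe to keep in the job output.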
Policy Enforcement
| Variable | Description | Default | Commit Scan | PR Scan |
|---|---|---|---|---|
| JF_PROJECT | JFrog project key for Xray policies | — | Yes | Yes |
Results Upload
| Variable | Description | Default | Commit Scan | PR Scan |
|---|---|---|---|---|
| JF_UPLOAD_SBOM_TO_VCS | Publish SBOM to GitHub Dependency Graph | true | Yes | — |
Debugging
| Variable | Description |
|---|---|
| JFROG_CLI_LOG_LEVEL | Set to DEBUG for verbose logging |
Air-Gapped Environments
By default, Frogbot downloads scanner executables from https://releases.jfrog.io. For air-gapped environments:
- Create a Remote Repository in Artifactory:
  - Type: Generic
  - URL: https://releases.jfrog.io
  - Uncheck Store Artifacts Locally
- Under Administration > Xray Settings > Indexed Resources, select the Git Repositories tab.
- From the three-dot menu, select Configure and set the Scanner download source to Air-gapped repository in the Advanced Settings section and provide the repository name.
